2015-05-08 | JB-2015-3402
The Banking Board of Ecuador rejected the appeal filed by Banco de Guayaquil S.A. regarding an unauthorized virtual banking transfer of US$ 2,000. The Board confirmed the lower authority's order requiring the bank to reimburse the customer, ruling that the institution failed to implement adequate security measures for electronic channels. The decision establishes that the bank bears responsibility for the fraud rather than the client, as the transaction originated from an unregistered IP address in Peru.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, and norms issued by control bodies, will remain in effect insofar as they do not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling as of the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT through a communication entered into the Superintendency of Banks on October 22, 2013, Mr. Dalton Alexander Ordóñez Rodríguez filed his claim against Banco de Guayaquil S.A., requesting that the aforementioned Bank be ordered to return the sum of US$ 2,000.00 debited from his savings account, basing his claim on: a) That on October 21, 2013, an electronic transfer was made without his authorization for the amount of US$ 2,000.00 from his savings account No. 15233414; b) That he never received any notification via email, as is the correct procedure in this type of transaction;
THAT through a communication of October 24, 2014, the claimant submits to this control body a copy of the response from Banco de Guayaquil S.A., regarding procedure SBSGYE-2013-28739, in which it is indicated that the financial institution cannot favorably attend the request for reimbursement of funds, since the transfer in question was carried out through the Virtual Banking channel entering information that only the user knows;
THAT the Guayaquil Intendency, through letter No. DAYEU-ISFP-REQ-2013-1440 of November 13, 2013, admitted for processing the claim presented by Mr. Dalton Alexander Ordóñez Rodríguez, transferred it to the knowledge of Banco de Guayaquil S.A., and requested that the bank present, within five days, the explanations and defenses related to the present case;
THAT through letter No. UAC-SBS-2013-660, received in the Superintendency on December 10, 2014, Mr. Víctor Hugo Alcivar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., presented the explanations and defenses related to the claim presented by Mr. Dalton Alexander Ordóñez Rodríguez, basing his action, mainly, on the following:
"(...) Within the review carried out and according to what was stated by Mr. Dalton Alexander Ordóñez Rodríguez, it was determined that the client was a victim of computer fraud known as 'Phishing', which is the act of fraudulently acquiring through deception personal information such as passwords or other sensitive client information; it consists of the ability to duplicate maliciously bank web pages and indiscriminately send emails so that this page is accessed and the user provides the confidential and non-transferable access data to their bank.
The entity has an efficient fraud prevention system that includes an authentication process in Virtual Banking that begins with the creation of a user, and an alphanumeric key, the selection of a security image and the assignment of the name to the image, as well as answers to challenge questions (Credit Bureau) and personal nature, which constitutes the validation of the client's identification in this channel.
During the access process to the Virtual Banking of Banco de Guayaquil S.A., upon entering the user that identifies the client, the security image and the name assigned to it are displayed, factors that identify the authenticity of the bank's web page, prior to entering the password defined by the client.
This process includes the Bancontrol card, which is a coordinate card system, a tool that increases the security of static passwords and constitutes an additional barrier against electronic fraud; this mechanism provides random keys to give peace of mind to our clients. In transactions involving the movement of funds, the use of the Bancontrol coordinate card is mandatory.
Additionally, to make transfers through Virtual Banking, it is necessary to register the beneficiary account, a process in which the system sends a security code to the email registered by the client in the bank; this code must be entered on the Virtual Banking page, prior to entering the coordinates that are requested randomly, for the execution of the transaction, evidently, for access to the client's email it is necessary that the user has the personal password.
The fund transfer was carried out through Virtual Banking, using coordinate card No. 82993, which was delivered to the client on September 23, 2010.
It is important to mention that our institution on its website, www.bancoguayaquil.com, shows its clients the following security message: 'Remember that Banco de Guayaquil does not send email or text message requesting information on personal data, Bancontrol card coordinates, user, password of your accounts or credit cards; do not access any link included in an unknown email'";
THAT through letter No. IRG-DAYEU-V-R-2014-288 of April 8, 2014, the Regional Intendency of Guayaquil, favorably attended the claim presented by Mr. Dalton Alexander Ordóñez Rodríguez, resolving to order the controlled financial institution to proceed to restore to the claimant the sum of US$ 2,000.00, in the savings account No. 15233414 that he maintains in the aforementioned bank, value that corresponds to an unauthorized transfer by the user via internet;
THAT through communication entered on April 24, 2014, Banco de Guayaquil S.A. filed an appeal for reconsideration against the content of letter No. IRG-DAYEU-V-R-2014-288 of April 8, 2014; and with letter No. IRG-DAYEU-V-R-2014-629 of June 18 of 2014, the Intendency of Guayaquil resolved to reject the appeal for reconsideration and confirm the administrative act contained in letter No. IRG-DAYEU-V-R-2014-288 of April 8, 2014, for the motivation contained therein;
THAT with communication entered in the Superintendency of Banks on July 4, 2014, Mr. Víctor Hugo Alcivar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., filed a review appeal before the Banking Board against letter No. IRG-DAYEU-V-R-2014-629 of June 18, 2014; and, with letter No. JB-2014-1789 of July 10, 2014, the lawyer Pablo Cobo Luna, Secretary of the Banking Board, accepted the review appeal filed for processing; and, with letter No. JB-2014-1790, of the same day, month and year, Mr. Dalton Alexander Ordóñez Rodríguez was notified of the acceptance of the aforementioned appeal;
THAT the review appeal rests mainly on the following arguments:
That "The transaction subject of this claim was carried out on October 21, 2013, through the Virtual Banking transactional channel, and for this the keys and coordinates contained in the Bancontrol Coordinate Card No.-82993 were used, the exclusive responsibility of Mr. DALTON ALEXANDER ORDÓÑEZ RODRÍGUEZ.";
That "(...) the transaction in question was correctly processed, because in it the system validated the client's key and coordinates, which are only known and safeguarded by him, without requiring any additional verification."; and,
That "through report No. FR-I-2013-372, the movements of transactions carried out by the client through Virtual Banking in the nine months prior to the claimed transactions were reviewed and it was verified that transactions have been carried out from DIFFERENT IP ADDRESSES, that is, it is not that the client used a habitual IP..."; and,
That "...the only cause for which the authority can order the reimbursement of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the claimant (...)";
THAT articles 52 and 66 numeral 25 of the Constitution of the Republic of Ecuador, and numeral 2 of article 4 of the Organic Law of Consumer Defense, establish the right of persons to dispose of goods and services of optimal quality; by virtue of this, Banco de Guayaquil S.A., by offering various services to its clients, among which is the transfer of funds through its Virtual Banking, is obliged to evaluate and demand the necessary security measures in order to provide a service of optimal quality to its clients;
THAT regarding what was argued by Banco de Guayaquil S.A., in which it highlights the observance and compliance with the corresponding security measures in electronic channels, ATMs, points of sale and electronic banking, article 4, chapter V "On Operational Risk Management", title X "On Risk Management and Administration", book I "General Norms for the application of the General Law of Financial System Institutions", of the Codification of Resolutions of the Superintendency of Banks and the Banking Board, states:
"ARTICLE 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects must be adequately administered, which are interrelated:
(...)
4.3 Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential and available for appropriate decision making.
To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes and procedures that ensure adequate planning and administration of information technology. These policies, processes and procedures will refer to:
(...)
4.3.8 Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at least with the following:
(...) 4.3.8.8. Offer clients the necessary mechanisms so that they personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.
Among the main conditions of personalization by each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly and monthly transaction, among others (...);"
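As an added illustration, not part of the resolution or of any bank's system: the personalization conditions that 4.3.8.8 lists (registered beneficiary accounts, authorized IP addresses, daily/weekly/monthly limits) expressed as a pre-transfer check. The profile values, account labels and the 192.0.2.10 address are constructed; 200.37.251.170 is the address cited in the bank's report; rolling windows and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChannelProfile:
    """Conditions a client personalized for Virtual Banking (items of 4.3.8.8;
    field names are assumed)."""
    registered_accounts: frozenset  # beneficiary accounts registered for transfers
    authorized_ips: frozenset       # computer IP addresses the client authorized
    daily_limit: float
    weekly_limit: float
    monthly_limit: float


@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float
    beneficiary: str
    source_ip: str


def evaluate_transfer(profile, history, tx):
    """Return the personalized conditions `tx` violates (empty list = allowed).
    `history` holds earlier transfers; weekly/monthly windows are assumed rolling."""
    violations = []
    if tx.beneficiary not in profile.registered_accounts:
        violations.append("beneficiary account not registered")
    if tx.source_ip not in profile.authorized_ips:
        violations.append("source IP address not authorized")
    windows = (("daily", timedelta(days=1), profile.daily_limit),
               ("weekly", timedelta(days=7), profile.weekly_limit),
               ("monthly", timedelta(days=30), profile.monthly_limit))
    for name, window, limit in windows:
        spent = sum(t.amount for t in history
                    if tx.when - window < t.when <= tx.when)
        if spent + tx.amount > limit:
            violations.append(f"{name} limit exceeded")
    return violations


# Constructed sample profile: one registered beneficiary, one authorized IP
# (documentation range) and modest limits; all values are illustrative.
PROFILE = ChannelProfile(
    registered_accounts=frozenset({"REG-ACCT-0001"}),
    authorized_ips=frozenset({"192.0.2.10"}),
    daily_limit=1500.0, weekly_limit=4000.0, monthly_limit=10000.0)
HISTORY = [Transfer(datetime(2013, 10, 20, 9, 0), 300.0, "REG-ACCT-0001", "192.0.2.10")]

# A transfer shaped like the claimed one: US$ 2,000 to an unregistered account
# from the IP address the bank's own report cites.
CLAIMED = Transfer(datetime(2013, 10, 21, 14, 0), 2000.0, "UNREG-ACCT", "200.37.251.170")
ROUTINE = Transfer(datetime(2013, 10, 21, 15, 0), 200.0, "REG-ACCT-0001", "192.0.2.10")

if __name__ == "__main__":
    print(evaluate_transfer(PROFILE, HISTORY, CLAIMED))
    print(evaluate_transfer(PROFILE, HISTORY, ROUTINE))
```

A transfer that violates any condition would be held for the client's confirmation through a separately registered contact, which is the point of the personalization the rule requires.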
THAT file Internal Report No. FR-I-2013-372 dated October 22, 2013, which contains the review of the claim of Mr. Dalton Alexander Ordóñez Rodríguez, signed by the Claims and Fraud Unit of Banco de Guayaquil S.A., highlights the following:
"(...) ITREPORTS application was reviewed for the client's account movements, from the date corresponding to the claimed transactions, observing that they were processed through IP address 200.37.251.170, which is located in Lima, Peru (...)
The movements of transactions carried out by the client through Virtual Banking in the nine months prior to the claimed transactions were verified and it was verified that transactions have been carried out from different IP addresses. (...)
(...) CONCLUSION:
Based on the background and the review of the claim presented by the client, it is concluded that it is IMPROPER because the client was probably a victim of computer fraud, which consists in obtaining personal information fraudulently, through fake web pages, emails that seem to come from the bank, through which the client provided information and coordinate keys";
THAT Banco de Guayaquil S.A. itself, in the aforementioned report No. FR-I-2013-372, acknowledges that in the present case there was "computer fraud", thereby acknowledging the lack of security in its electronic channels and exempting the client from any responsibility;
THAT Banco de Guayaquil S.A. demonstrates through its defenses that the only way to register both IP addresses and accounts is through access to Virtual Banking, which is achieved exclusively with the validation of the key granted to its clients, and therefore that a client compromising this information frees the bank from any responsibility for the mishandling of this key. However, in the case at hand it is not evident that Mr. DALTON ALEXANDER ORDÓÑEZ RODRÍGUEZ at any time compromised his access key to virtual banking or neglected the custody of the "Bancontrol" coordinate card granted by the controlled entity. On the contrary, from the review of the file it is determined that the transactions were carried out from IP address 200.37.251.170. The file contains the history of interbank transfer transactions, including the IP addresses from which Mr. Dalton Alexander Ordóñez Rodríguez has carried out operations through Virtual Banking; from it, it can be appreciated that the transaction subject of the claim was carried out from an IP that was neither habitual for the claimant when making transfers nor registered by him for such purposes. In addition, it was verified electronically that the claimed transaction was made from Peru;
THAT integral risk management is one of the responsibilities attributed to institutions that are part of the Financial System; by virtue of that, the Codification of Resolutions of the Superintendency of Banks and the Banking Board, in its book I "General Norms for the application of the General Law of Financial System Institutions", title X "On risk management and administration", chapter I "On integral risk management and control", establishes in its third article the following:
"ARTICLE 3.- Financial system institutions have the responsibility to manage their risks, to which effect they must have formal integral risk management processes that allow identifying, measuring, controlling / mitigating and monitoring the risk exposures they are assuming.";
THAT the second paragraph of article 5 of chapter IV "Procedure for the attention of claims against Financial System Institutions", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Financial System Institutions" of the Codification of Resolutions of the Superintendency of Banks and the Banking Board, provides:
"ARTICLE 5.- (...) If the situation that motivated the claim referred to in the previous paragraph, originated in an incorrect procedure of the controlled institution, which has caused harm to the claimant, the Superintendency of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a period that cannot exceed fifteen (15) days from the notification to send, under the precautions of Law, the proof of compliance with the order issued.";
THAT the main foundation put forward by the claimant is the existence of the unauthorized bank transfer through virtual banking, which is evidenced in the defenses presented by Banco de Guayaquil S.A., through which the controlled entity maintained that the transfer in question was carried out because the claimant compromised personal information such as the virtual banking key and failed in the custody of the "Bancontrol" coordinate card. The banking institution intends to transfer to the financial user the risks inherent to the organization and execution of the transfer service through electronic channels offered by the institution, holding him responsible for the same on the grounds that he misused his access key to virtual banking and allegedly compromised the custody of his "Bancontrol" coordinate card, facts of which there is no record in the file of the case at hand. That same foundation also allowed the administrative act contained in letter No. IRG-DAYEU-V-R-2014-288 of April 8, 2014 to reject the claims of the appellant, insisting that it is not appropriate to place on the claimant the responsibility for the possible lack of custody and care of the information of the "Bancontrol" coordinate card and, therefore, the responsibility for said transactions carried out via internet;
THAT it must be clarified that the order to restore the claimed values does not constitute a sanction, but the faculty derived from article 5, chapter IV "Procedure for the attention of claims against financial system institutions", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Financial System Institutions", of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, since the financial institution incurred in an incorrect procedure by not complying with all the corresponding security measures in electronic channels;
THAT the National Legal Intendency, through memorandum INJ-DNJ-SAL-2015-0065 of January 27, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the Executive Vice President – General Manager of Banco de Guayaquil S.A.; and,
IN exercise of its legal attributes,
SINGLE ARTICLE.- REJECT the claim contained in the review appeal filed by Mr. Víctor Hugo Alcivar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A.; and consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-629 of June 18, 2014, with which the Regional Intendency of Guayaquil confirmed the administrative act contained in letter No. IRG-DAYEU-V-R-2014-288 of April 8, 2014, through which it ordered Banco de Guayaquil S.A. that "(...) proceed to restore to Mr. DALTON ALEXANDER ORDÓÑEZ RODRÍGUEZ the sum of TWO THOUSAND 00/100 DOLLARS OF THE UNITED STATES OF AMERICA ($ 2,000.00), in the savings account No. 15233414 that he maintains in the aforementioned bank, value that corresponds to the unauthorized transfer by the user via internet. (...)".
NOTIFY.- Given in the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on May eight, two thousand fifteen.
Econ. Rodrigo Landeta Parra
GENERAL INTENDENT (S)
PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY.- Quito, Metropolitan District, on May eight, two thousand fifteen.
Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD